**DO NOT READ THIS FILE ON GITHUB, GUIDES ARE PUBLISHED ON https://guides.rubyonrails.org.**

Configuring Rails Applications
==============================

This guide covers the configuration and initialization features available to Rails applications.

After reading this guide, you will know:

* How to adjust the behavior of your Rails applications.
* How to add additional code to be run at application start time.

--------------------------------------------------------------------------------

Locations for Initialization Code
---------------------------------

Rails offers four standard spots to place initialization code:

* `config/application.rb`
* Environment-specific configuration files
* Initializers
* After-initializers

Running Code Before Rails
-------------------------

In the rare event that your application needs to run some code before Rails itself is loaded, put it above the call to `require "rails/all"` in `config/application.rb`.

Configuring Rails Components
----------------------------

In general, the work of configuring Rails means configuring the components of Rails, as well as configuring Rails itself. The configuration file `config/application.rb` and environment-specific configuration files (such as `config/environments/production.rb`) allow you to specify the various settings that you want to pass down to all of the components.

For example, you could add this setting to the `config/application.rb` file:

```ruby
config.time_zone = 'Central Time (US & Canada)'
```

This is a setting for Rails itself. If you want to pass settings to individual Rails components, you can do so via the same `config` object in `config/application.rb`:

```ruby
config.active_record.schema_format = :ruby
```

Rails will use that particular setting to configure Active Record.

WARNING: Use the public configuration methods over calling directly to the associated class. e.g. `Rails.application.config.action_mailer.options` instead of `ActionMailer::Base.options`.

NOTE: If you need to apply configuration directly to a class, use a [lazy load hook](https://api.rubyonrails.org/classes/ActiveSupport/LazyLoadHooks.html) in an initializer to avoid autoloading the class before initialization has completed. Autoloading the class early will break, because autoloading during initialization cannot be safely repeated when the app reloads.

### Versioned Default Values

[`config.load_defaults`] loads default configuration values for a target version and all versions prior. For example, `config.load_defaults 6.1` will load defaults for all versions up to and including version 6.1.

[`config.load_defaults`]: https://api.rubyonrails.org/classes/Rails/Application/Configuration.html#method-i-load_defaults

Below are the default values associated with each target version. In cases of conflicting values, newer versions take precedence over older versions.

#### Default Values for Target Version 7.1

- [`config.action_dispatch.default_headers`](#config-action-dispatch-default-headers): `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "0", "X-Content-Type-Options" => "nosniff", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }`
- [`config.add_autoload_paths_to_load_path`](#config-add-autoload-paths-to-load-path): `false`
- [`config.active_support.default_message_encryptor_serializer`](#config-active-support-default-message-encryptor-serializer): `:json`
- [`config.active_support.default_message_verifier_serializer`](#config-active-support-default-message-verifier-serializer): `:json`

#### Default Values for Target Version 7.0

- [`config.action_controller.raise_on_open_redirects`](#config-action-controller-raise-on-open-redirects): `true`
- [`config.action_view.button_to_generates_button_tag`](#config-action-view-button-to-generates-button-tag): `true`
- [`config.action_view.apply_stylesheet_media_default`](#config-action-view-apply-stylesheet-media-default): `false`
- [`config.active_support.key_generator_hash_digest_class`](#config-active-support-key-generator-hash-digest-class): `OpenSSL::Digest::SHA256`
- [`config.active_support.hash_digest_class`](#config-active-support-hash-digest-class): `OpenSSL::Digest::SHA256`
- [`config.active_support.cache_format_version`](#config-active-support-cache-format-version): `7.0`
- [`config.active_support.remove_deprecated_time_with_zone_name`](#config-active-support-remove-deprecated-time-with-zone-name): `true`
- [`config.active_support.executor_around_test_case`](#config-active-support-executor-around-test-case): `true`
- [`config.active_support.use_rfc4122_namespaced_uuids`](#config-active-support-use-rfc4122-namespaced-uuids): `true`
- [`config.active_support.disable_to_s_conversion`](#config-active-support-disable-to-s-conversion): `true`
- [`config.action_dispatch.return_only_request_media_type_on_content_type`](#config-action-dispatch-return-only-request-media-type-on-content-type): `false`
- [`config.action_dispatch.cookies_serializer`](#config-action-dispatch-cookies-serializer): `:json`
- [`config.action_mailer.smtp_timeout`](#config-action-mailer-smtp-timeout): `5`
- [`config.active_storage.video_preview_arguments`](#config-active-storage-video-preview-arguments): `"-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2"`
- [`config.active_storage.multiple_file_field_include_hidden`](#config-active-storage-multiple-file-field-include-hidden): `true`
- [`config.active_record.automatic_scope_inversing`](#config-active-record-automatic-scope-inversing): `true`
- [`config.active_record.verify_foreign_keys_for_fixtures`](#config-active-record-verify-foreign-keys-for-fixtures): `true`
- [`config.active_record.partial_inserts`](#config-active-record-partial-inserts): `false`
- [`config.active_storage.variant_processor`](#config-active-storage-variant-processor): `:vips`
- [`config.action_controller.wrap_parameters_by_default`](#config-action-controller-wrap-parameters-by-default): `true`
- [`config.action_dispatch.default_headers`](#config-action-dispatch-default-headers): `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "0", "X-Content-Type-Options" => "nosniff", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }`

#### Default Values for Target Version 6.1

- [`config.active_record.has_many_inversing`](#config-active-record-has-many-inversing): `true`
- [`config.active_record.legacy_connection_handling`](#config-active-record-legacy-connection-handling): `false`
- [`config.active_storage.track_variants`](#config-active-storage-track-variants): `true`
- [`config.active_storage.queues.analysis`](#config-active-storage-queues-analysis): `nil`
- [`config.active_storage.queues.purge`](#config-active-storage-queues-purge): `nil`
- [`config.action_mailbox.queues.incineration`](#config-action-mailbox-queues-incineration): `nil`
- [`config.action_mailbox.queues.routing`](#config-action-mailbox-queues-routing): `nil`
- [`config.action_mailer.deliver_later_queue_name`](#config-action-mailer-deliver-later-queue-name): `nil`
- [`config.active_job.retry_jitter`](#config-active-job-retry-jitter): `0.15`
- [`config.action_dispatch.cookies_same_site_protection`](#config-action-dispatch-cookies-same-site-protection): `:lax`
- [`config.action_dispatch.ssl_default_redirect_status`](#config-action-dispatch-ssl-default-redirect-status): `308`
- [`ActiveSupport.utc_to_local_returns_utc_offset_times`](#activesupport-utc-to-local-returns-utc-offset-times): `true`
- [`config.action_controller.urlsafe_csrf_tokens`](#config-action-controller-urlsafe-csrf-tokens): `true`
- [`config.action_view.form_with_generates_remote_forms`](#config-action-view-form-with-generates-remote-forms): `false`
- [`config.action_view.preload_links_header`](#config-action-view-preload-links-header): `true`

#### Default Values for Target Version 6.0

- [`config.action_view.default_enforce_utf8`](#config-action-view-default-enforce-utf8): `false`
- [`config.action_dispatch.use_cookies_with_metadata`](#config-action-dispatch-use-cookies-with-metadata): `true`
- [`config.action_mailer.delivery_job`](#config-action-mailer-delivery-job): `"ActionMailer::MailDeliveryJob"`
- [`config.active_storage.queues.analysis`](#config-active-storage-queues-analysis): `:active_storage_analysis`
- [`config.active_storage.queues.purge`](#config-active-storage-queues-purge): `:active_storage_purge`
- [`config.active_storage.replace_on_assign_to_many`](#config-active-storage-replace-on-assign-to-many): `true`
- [`config.active_record.collection_cache_versioning`](#config-active-record-collection-cache-versioning): `true`

#### Default Values for Target Version 5.2

- [`config.active_record.cache_versioning`](#config-active-record-cache-versioning): `true`
- [`config.action_dispatch.use_authenticated_cookie_encryption`](#config-action-dispatch-use-authenticated-cookie-encryption): `true`
- [`config.active_support.use_authenticated_message_encryption`](#config-active-support-use-authenticated-message-encryption): `true`
- [`config.active_support.hash_digest_class`](#config-active-support-hash-digest-class): `OpenSSL::Digest::SHA1`
- [`config.action_controller.default_protect_from_forgery`](#config-action-controller-default-protect-from-forgery): `true`
- [`config.action_view.form_with_generates_ids`](#config-action-view-form-with-generates-ids): `true`

#### Default Values for Target Version 5.1

- [`config.assets.unknown_asset_fallback`](#config-assets-unknown-asset-fallback): `false`
- [`config.action_view.form_with_generates_remote_forms`](#config-action-view-form-with-generates-remote-forms): `true`

#### Default Values for Target Version 5.0

- [`config.action_controller.per_form_csrf_tokens`](#config-action-controller-per-form-csrf-tokens): `true`
- [`config.action_controller.forgery_protection_origin_check`](#config-action-controller-forgery-protection-origin-check): `true`
- [`ActiveSupport.to_time_preserves_timezone`](#activesupport-to-time-preserves-timezone): `true`
- [`config.active_record.belongs_to_required_by_default`](#config-active-record-belongs-to-required-by-default): `true`
- [`config.ssl_options`](#config-ssl-options): `{ hsts: { subdomains: true } }`

### Rails General Configuration

The following configuration methods are to be called on a `Rails::Railtie` object, such as a subclass of `Rails::Engine` or `Rails::Application`.

#### `config.after_initialize`

Takes a block which will be run _after_ Rails has finished initializing the application. That includes the initialization of the framework itself, engines, and all the application's initializers in `config/initializers`. Note that this block _will_ be run for rake tasks. Useful for configuring values set up by other initializers:

```ruby
config.after_initialize do
  ActionView::Base.sanitized_allowed_tags.delete 'div'
end
```

#### `config.asset_host`

Sets the host for the assets. Useful when CDNs are used for hosting assets, or when you want to work around the concurrency constraints built into browsers by using different domain aliases. Shorter version of `config.action_controller.asset_host`.

#### `config.autoload_once_paths`

Accepts an array of paths from which Rails will autoload constants that won't be wiped per request. Relevant if `config.cache_classes` is `false`, which is the default in the development environment. Otherwise, all autoloading happens only once. All elements of this array must also be in `autoload_paths`. Default is an empty array.

#### `config.autoload_paths`

Accepts an array of paths from which Rails will autoload constants. Default is an empty array.
Since [Rails 6](upgrading_ruby_on_rails.html#autoloading), it is not recommended to adjust this. See [Autoloading and Reloading Constants](autoloading_and_reloading_constants.html#autoload-paths).

#### `config.add_autoload_paths_to_load_path`

Says whether autoload paths have to be added to `$LOAD_PATH`. It is recommended to be set to `false` in `:zeitwerk` mode early, in `config/application.rb`. Zeitwerk uses absolute paths internally, and applications running in `:zeitwerk` mode do not need `require_dependency`, so models, controllers, jobs, etc. do not need to be in `$LOAD_PATH`. Setting this to `false` saves Ruby from checking these directories when resolving `require` calls with relative paths, and saves Bootsnap work and RAM, since it does not need to build an index for them.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `true`               |
| 7.1                   | `false`              |

#### `config.cache_classes`

Controls whether or not application classes and modules should be reloaded if they change. When the cache is enabled (`true`), reloading will not occur. Defaults to `false` in the development environment, and `true` in production. In the test environment, the default is `false` if Spring is installed, `true` otherwise.

#### `config.beginning_of_week`

Sets the default beginning of week for the application. Accepts a valid day of week as a symbol (e.g. `:monday`).

#### `config.cache_store`

Configures which cache store to use for Rails caching. Options include one of the symbols `:memory_store`, `:file_store`, `:mem_cache_store`, `:null_store`, `:redis_cache_store`, or an object that implements the cache API. Defaults to `:file_store`. See [Cache Stores](caching_with_rails.html#cache-stores) for per-store configuration options.

#### `config.colorize_logging`

Specifies whether or not to use ANSI color codes when logging information. Defaults to `true`.

#### `config.consider_all_requests_local`

Is a flag. If `true` then any error will cause detailed debugging information to be dumped in the HTTP response, and the `Rails::Info` controller will show the application runtime context in `/rails/info/properties`. `true` by default in the development and test environments, and `false` in production. For finer-grained control, set this to `false` and implement `show_detailed_exceptions?` in controllers to specify which requests should provide debugging information on errors.

#### `config.console`

Allows you to set the class that will be used as console when you run `bin/rails console`. It's best to run it in the `console` block:

```ruby
console do
  # this block is called only when running console,
  # so we can safely require pry here
  require "pry"
  config.console = Pry
end
```

#### `config.disable_sandbox`

Controls whether or not someone can start a console in sandbox mode. This is helpful to avoid a long-running sandbox console session that could lead a database server to run out of memory. Defaults to `false`.

#### `config.eager_load`

When `true`, eager loads all registered `config.eager_load_namespaces`. This includes your application, engines, Rails frameworks, and any other registered namespace.

#### `config.eager_load_namespaces`

Registers namespaces that are eager loaded when `config.eager_load` is set to `true`. All namespaces in the list must respond to the `eager_load!` method.

#### `config.eager_load_paths`

Accepts an array of paths from which Rails will eager load on boot if `config.cache_classes` is set to `true`. Defaults to every folder in the `app` directory of the application.

#### `config.enable_dependency_loading`

When `true`, enables autoloading, even if the application is eager loaded and `config.cache_classes` is set to `true`. Defaults to `false`.

#### `config.encoding`

Sets up the application-wide encoding. Defaults to UTF-8.

#### `config.exceptions_app`

Sets the exceptions application invoked by the `ShowExceptions` middleware when an exception happens. Defaults to `ActionDispatch::PublicExceptions.new(Rails.public_path)`.

#### `config.debug_exception_response_format`

Sets the format used in responses when errors occur in the development environment. Defaults to `:api` for API only apps and `:default` for normal apps.

#### `config.file_watcher`

Is the class used to detect file updates in the file system when `config.reload_classes_only_on_change` is `true`. Rails ships with `ActiveSupport::FileUpdateChecker`, the default, and `ActiveSupport::EventedFileUpdateChecker` (this one depends on the [listen](https://github.com/guard/listen) gem). Custom classes must conform to the `ActiveSupport::FileUpdateChecker` API.

#### `config.filter_parameters`

Used for filtering out the parameters that you don't want shown in the logs, such as passwords or credit card numbers. It also filters out sensitive values of database columns when calling `#inspect` on an Active Record object. By default, Rails filters out passwords by adding the following filters in `config/initializers/filter_parameter_logging.rb`.

```ruby
Rails.application.config.filter_parameters += [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
]
```

The parameter filter works by partial matching with a regular expression.

#### `config.force_ssl`

Forces all requests to be served over HTTPS, and sets "https://" as the default protocol when generating URLs. Enforcement of HTTPS is handled by the `ActionDispatch::SSL` middleware, which can be configured via `config.ssl_options`.

#### `config.javascript_path`

Sets the path where your app's JavaScript lives relative to the `app` directory. The default is `javascript`, used by [webpacker](https://github.com/rails/webpacker). An app's configured `javascript_path` will be excluded from `autoload_paths`.

#### `config.log_formatter`

Defines the formatter of the Rails logger.
This option defaults to an instance of `ActiveSupport::Logger::SimpleFormatter` for all environments. If you are setting a value for `config.logger` you must manually pass the value of your formatter to your logger before it is wrapped in an `ActiveSupport::TaggedLogging` instance; Rails will not do it for you.

#### `config.log_level`

Defines the verbosity of the Rails logger. This option defaults to `:debug` for all environments except production, where it defaults to `:info`. The available log levels are: `:debug`, `:info`, `:warn`, `:error`, `:fatal`, and `:unknown`.

#### `config.log_tags`

Accepts a list of methods that the `request` object responds to, a `Proc` that accepts the `request` object, or something that responds to `to_s`. This makes it easy to tag log lines with debug information like subdomain and request id - both very helpful in debugging multi-user production applications.

#### `config.logger`

Is the logger that will be used for `Rails.logger` and any related Rails logging such as `ActiveRecord::Base.logger`. It defaults to an instance of `ActiveSupport::TaggedLogging` that wraps an instance of `ActiveSupport::Logger` which outputs a log to the `log/` directory. You can supply a custom logger. To get full compatibility, you must follow these guidelines:

* To support a formatter, you must manually assign a formatter from the `config.log_formatter` value to the logger.
* To support tagged logs, the log instance must be wrapped with `ActiveSupport::TaggedLogging`.
* To support silencing, the logger must include the `ActiveSupport::LoggerSilence` module. The `ActiveSupport::Logger` class already includes these modules.

```ruby
class MyLogger < ::Logger
  include ActiveSupport::LoggerSilence
end

mylogger = MyLogger.new(STDOUT)
mylogger.formatter = config.log_formatter
config.logger = ActiveSupport::TaggedLogging.new(mylogger)
```

#### `config.middleware`

Allows you to configure the application's middleware.
This is covered in depth in the [Configuring Middleware](#configuring-middleware) section below.

#### `config.rake_eager_load`

When `true`, eager load the application when running Rake tasks. Defaults to `false`.

#### `config.reload_classes_only_on_change`

Enables or disables reloading of classes only when tracked files change. By default tracks everything on autoload paths and is set to `true`. If `config.cache_classes` is `true`, this option is ignored.

#### `config.credentials.content_path`

Configures lookup path for encrypted credentials.

#### `config.credentials.key_path`

Configures lookup path for encryption key.

#### `secret_key_base`

Is used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get a randomly generated key in test and development environments; other environments should set one in `config/credentials.yml.enc`.

#### `config.require_master_key`

Causes the app to not boot if a master key hasn't been made available through `ENV["RAILS_MASTER_KEY"]` or the `config/master.key` file.

#### `config.public_file_server.enabled`

Configures Rails to serve static files from the public directory. This option defaults to `true`, but in the production environment it is set to `false` because the server software (e.g. NGINX or Apache) used to run the application should serve static files instead. If you are running or testing your app in production using WEBrick (it is not recommended to use WEBrick in production) set the option to `true`. Otherwise, you won't be able to use page caching or serve requests for files that exist under the public directory.

#### `config.session_store`

Specifies what class to use to store the session. Possible values are `:cookie_store`, `:mem_cache_store`, a custom store, or `:disabled`. `:disabled` tells Rails not to deal with sessions.

This setting is configured via a regular method call, rather than a setter.
This allows additional options to be passed:

```ruby
config.session_store :cookie_store, key: "_your_app_session"
```

If a custom store is specified as a symbol, it will be resolved to the `ActionDispatch::Session` namespace:

```ruby
# use ActionDispatch::Session::MyCustomStore as the session store
config.session_store :my_custom_store
```

The default store is a cookie store with the application name as the session key.

#### `config.ssl_options`

Configuration options for the [`ActionDispatch::SSL`](https://api.rubyonrails.org/classes/ActionDispatch/SSL.html) middleware.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is             |
| --------------------- | -------------------------------- |
| (original)            | `{}`                             |
| 5.0                   | `{ hsts: { subdomains: true } }` |

#### `config.time_zone`

Sets the default time zone for the application and enables time zone awareness for Active Record.

### Configuring Assets

#### `config.assets.css_compressor`

Defines the CSS compressor to use. It is set by default by `sass-rails`. The only alternative value at the moment is `:yui`, which uses the `yui-compressor` gem.

#### `config.assets.js_compressor`

Defines the JavaScript compressor to use. Possible values are `:terser`, `:closure`, `:uglifier`, and `:yui`, which require the use of the `terser`, `closure-compiler`, `uglifier`, or `yui-compressor` gems respectively.

#### `config.assets.gzip`

A flag that enables the creation of gzipped versions of compiled assets, along with non-gzipped assets. Set to `true` by default.

#### `config.assets.paths`

Contains the paths which are used to look for assets. Appending paths to this configuration option will cause those paths to be used in the search for assets.

#### `config.assets.precompile`

Allows you to specify additional assets (other than `application.css` and `application.js`) which are to be precompiled when `rake assets:precompile` is run.

#### `config.assets.unknown_asset_fallback`

Allows you to modify the behavior of the asset pipeline when an asset is not in the pipeline, if you use sprockets-rails 3.2.0 or newer.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `true`               |
| 5.1                   | `false`              |

#### `config.assets.prefix`

Defines the prefix where assets are served from. Defaults to `/assets`.

#### `config.assets.manifest`

Defines the full path to be used for the asset precompiler's manifest file. Defaults to a file named `manifest-.json` in the `config.assets.prefix` directory within the public folder.

#### `config.assets.digest`

Enables the use of SHA256 fingerprints in asset names. Set to `true` by default.

#### `config.assets.debug`

Disables the concatenation and compression of assets. Set to `true` by default in `development.rb`.

#### `config.assets.version`

Is an option string that is used in SHA256 hash generation. This can be changed to force all files to be recompiled.

#### `config.assets.compile`

Is a boolean that can be used to turn on live Sprockets compilation in production.

#### `config.assets.logger`

Accepts a logger conforming to the interface of Log4r or the default Ruby `Logger` class. Defaults to the same configured at `config.logger`. Setting `config.assets.logger` to `false` will turn off served assets logging.

#### `config.assets.quiet`

Disables logging of assets requests. Set to `true` by default in `development.rb`.

### Configuring Generators

Rails allows you to alter what generators are used with the `config.generators` method. This method takes a block:

```ruby
config.generators do |g|
  g.orm :active_record
  g.test_framework :test_unit
end
```

The full set of methods that can be used in this block are as follows:

* `force_plural` allows pluralized model names. Defaults to `false`.
* `helper` defines whether or not to generate helpers.
Defaults to `true`.
* `integration_tool` defines which integration tool to use to generate integration tests. Defaults to `:test_unit`.
* `system_tests` defines which integration tool to use to generate system tests. Defaults to `:test_unit`.
* `orm` defines which orm to use. Defaults to `false` and will use Active Record by default.
* `resource_controller` defines which generator to use for generating a controller when using `bin/rails generate resource`. Defaults to `:controller`.
* `resource_route` defines whether a resource route definition should be generated or not. Defaults to `true`.
* `scaffold_controller` different from `resource_controller`, defines which generator to use for generating a _scaffolded_ controller when using `bin/rails generate scaffold`. Defaults to `:scaffold_controller`.
* `test_framework` defines which test framework to use. Defaults to `false` and will use minitest by default.
* `template_engine` defines which template engine to use, such as ERB or Haml. Defaults to `:erb`.

### Configuring Middleware

Every Rails application comes with a standard set of middleware which it uses in this order in the development environment:

#### `ActionDispatch::HostAuthorization`

Protects against DNS rebinding and other `Host` header attacks. It is included in the development environment by default with the following configuration:

```ruby
Rails.application.config.hosts = [
  IPAddr.new("0.0.0.0/0"),        # All IPv4 addresses.
  IPAddr.new("::/0"),             # All IPv6 addresses.
  "localhost",                    # The localhost reserved domain.
  ENV["RAILS_DEVELOPMENT_HOSTS"]  # Additional comma-separated hosts for development.
]
```

In other environments `Rails.application.config.hosts` is empty and no `Host` header checks will be done.
If you want to guard against header attacks on production, you have to manually permit the allowed hosts with:

```ruby
Rails.application.config.hosts << "product.com"
```

The host of a request is checked against the `hosts` entries with the case operator (`#===`), which lets `hosts` support entries of type `Regexp`, `Proc` and `IPAddr` to name a few. Here is an example with a regexp.

```ruby
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
```

The provided regexp will be wrapped with both anchors (`\A` and `\z`) so it must match the entire hostname. `/product.com/`, for example, once anchored, would fail to match `www.product.com`.

A special case is supported that allows you to permit all sub-domains:

```ruby
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << ".product.com"
```

You can exclude certain requests from Host Authorization checks by setting `config.host_configuration.exclude`:

```ruby
# Exclude requests for the /healthcheck/ path from host checking
Rails.application.config.host_configuration = {
  exclude: ->(request) { request.path =~ /healthcheck/ }
}
```

When a request comes to an unauthorized host, a default Rack application will run and respond with `403 Forbidden`. This can be customized by setting `config.host_configuration.response_app`. For example:

```ruby
Rails.application.config.host_configuration = {
  response_app: -> env do
    [400, { "Content-Type" => "text/plain" }, ["Bad Request"]]
  end
}
```

#### `ActionDispatch::SSL`

Forces every request to be served using HTTPS. Enabled if `config.force_ssl` is set to `true`. Options passed to this can be configured by setting `config.ssl_options`.

#### `ActionDispatch::Static`

Is used to serve static assets. Disabled if `config.public_file_server.enabled` is `false`.
Set `config.public_file_server.index_name` if you need to serve a static directory index file that is not named `index`. For example, to serve `main.html` instead of `index.html` for directory requests, set `config.public_file_server.index_name` to `"main"`.

#### `ActionDispatch::Executor`

Allows thread safe code reloading. Disabled if `config.allow_concurrency` is `false`, which causes `Rack::Lock` to be loaded. `Rack::Lock` wraps the app in a mutex so it can only be called by a single thread at a time.

#### `ActiveSupport::Cache::Strategy::LocalCache`

Serves as a basic memory backed cache. This cache is not thread safe and is intended only for serving as a temporary memory cache for a single thread.

#### `Rack::Runtime`

Sets an `X-Runtime` header, containing the time (in seconds) taken to execute the request.

#### `Rails::Rack::Logger`

Notifies the logs that the request has begun. After the request is complete, flushes all the logs.

#### `ActionDispatch::ShowExceptions`

Rescues any exception returned by the application and renders nice exception pages if the request is local or if `config.consider_all_requests_local` is set to `true`. If `config.action_dispatch.show_exceptions` is set to `false`, exceptions will be raised regardless.

#### `ActionDispatch::RequestId`

Makes a unique `X-Request-Id` header available to the response and enables the `ActionDispatch::Request#uuid` method. Configurable with `config.action_dispatch.request_id_header`.

#### `ActionDispatch::RemoteIp`

Checks for IP spoofing attacks and gets valid `client_ip` from request headers. Configurable with the `config.action_dispatch.ip_spoofing_check`, and `config.action_dispatch.trusted_proxies` options.

#### `Rack::Sendfile`

Intercepts responses whose body is being served from a file and replaces it with a server specific `X-Sendfile` header. Configurable with `config.action_dispatch.x_sendfile_header`.

#### `ActionDispatch::Callbacks`

Runs the prepare callbacks before serving the request.

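
The `ActionDispatch::HostAuthorization` matching rules described earlier in this section (entries compared with `#===`, regexps wrapped in `\A` and `\z`, a leading dot permitting sub-domains, an empty list meaning no checks) can be modelled without Rails to test an allowlist before deploying it. This is an added example, not code from Rails or from this guide: `HostAllowlist`, `host_report` and the sample hosts are made up here, and port stripping and the bare-domain behaviour of a leading-dot entry are assumptions of the model.

```ruby
require "ipaddr"

# Stand-alone model of the `config.hosts` matching rules described in this
# guide. HostAllowlist is a name made up for this example; it is not the
# Rails implementation and needs no Rails gems.
class HostAllowlist
  def initialize(entries)
    # nil entries (e.g. an unset ENV variable) are dropped.
    @matchers = entries.compact.map { |entry| compile(entry) }
  end

  # An empty list means no Host header checks are done at all.
  def allowed?(host_header)
    return true if @matchers.empty?

    host = bare_host(host_header)
    return false if host.nil?

    @matchers.any? { |matcher| safe_match?(matcher, host) }
  end

  private

  # Strip an optional port and IPv6 brackets; nil for anything malformed,
  # including embedded whitespace or newlines (assumption of this model).
  def bare_host(header)
    value = header.to_s.downcase
    if value.start_with?("[")
      value[/\A\[([0-9a-f:.]+)\](?::\d+)?\z/, 1]
    else
      value[/\A([a-z0-9.-]+)(?::\d+)?\z/, 1]
    end
  end

  def compile(entry)
    case entry
    when Regexp
      # Wrapped with \A and \z, so the pattern must cover the whole hostname.
      /\A#{entry}\z/
    when String
      if entry.start_with?(".")
        # Leading dot: any sub-domain. Also admitting the bare domain is an
        # assumption of this model.
        /\A(?:[a-z0-9-]+\.)*#{Regexp.escape(entry[1..-1])}\z/i
      else
        /\A#{Regexp.escape(entry)}\z/i
      end
    else
      entry # IPAddr, Proc, or anything else that implements #===
    end
  end

  # The case operator decides. IPAddr#=== raises on a string that is not an
  # IP address, which is treated here as "no match".
  def safe_match?(matcher, host)
    matcher === host
  rescue IPAddr::Error
    false
  end
end

# Constructed sample allowlist and Host headers (not from a real app).
PRODUCTION_HOSTS = HostAllowlist.new([
  "product.com",
  /.*\.product\.com/,
  IPAddr.new("10.0.0.0/8")
])

SAMPLE_HEADERS = [
  "product.com",
  "www.product.com:443",
  "10.1.2.3",
  "192.168.1.10",
  "www.product.com.attacker.example"
].freeze

# Map each Host header to the allowlist decision.
def host_report(allowlist, headers)
  headers.to_h { |header| [header, allowlist.allowed?(header)] }
end

if __FILE__ == $PROGRAM_NAME
  host_report(PRODUCTION_HOSTS, SAMPLE_HEADERS).each do |header, ok|
    puts format("%-36s %s", header, ok ? "allowed" : "403 Forbidden")
  end
end
```

An unescaped dot in a regexp entry stays a wildcard even after anchoring, so `/product.com/` in this model admits `productxcom` while still rejecting `www.product.com`; escape dots as the guide's `/.*\.product\.com/` example does.
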
#### `ActionDispatch::Cookies`

Sets cookies for the request.

#### `ActionDispatch::Session::CookieStore`

Is responsible for storing the session in cookies. An alternate middleware can be used for this by changing [`config.session_store`](#config-session-store).

#### `ActionDispatch::Flash`

Sets up the `flash` keys. Only available if [`config.session_store`](#config-session-store) is set to a value.

#### `Rack::MethodOverride`

Allows the method to be overridden if `params[:_method]` is set. This is the middleware which supports the PATCH, PUT, and DELETE HTTP method types.

#### `Rack::Head`

Converts HEAD requests to GET requests and serves them as such.

#### Adding Custom Middleware

Besides these usual middleware, you can add your own by using the `config.middleware.use` method:

```ruby
config.middleware.use Magical::Unicorns
```

This will put the `Magical::Unicorns` middleware on the end of the stack. You can use `insert_before` if you wish to add a middleware before another.

```ruby
config.middleware.insert_before Rack::Head, Magical::Unicorns
```

Or you can insert a middleware at an exact position by using indexes. For example, if you want to insert the `Magical::Unicorns` middleware on top of the stack, you can do it like so:

```ruby
config.middleware.insert_before 0, Magical::Unicorns
```

There's also `insert_after` which will insert a middleware after another:

```ruby
config.middleware.insert_after Rack::Head, Magical::Unicorns
```

Middlewares can also be completely swapped out and replaced with others:

```ruby
config.middleware.swap ActionController::Failsafe, Lifo::Failsafe
```

Middlewares can be moved from one place to another:

```ruby
config.middleware.move_before ActionDispatch::Flash, Magical::Unicorns
```

This will move the `Magical::Unicorns` middleware before `ActionDispatch::Flash`.
You can also move it after: ```ruby config.middleware.move_after ActionDispatch::Flash, Magical::Unicorns ``` They can also be removed from the stack completely: ```ruby config.middleware.delete Rack::MethodOverride ``` ### Configuring i18n All these configuration options are delegated to the `I18n` library. #### `config.i18n.available_locales` Defines the permitted available locales for the app. Defaults to all locale keys found in locale files, usually only `:en` on a new application. #### `config.i18n.default_locale` Sets the default locale of an application used for i18n. Defaults to `:en`. #### `config.i18n.enforce_available_locales` Ensures that all locales passed through i18n must be declared in the `available_locales` list, raising an `I18n::InvalidLocale` exception when setting an unavailable locale. Defaults to `true`. It is recommended not to disable this option unless strongly required, since this works as a security measure against setting any invalid locale from user input. #### `config.i18n.load_path` Sets the path Rails uses to look for locale files. Defaults to `config/locales/**/*.{yml,rb}`. #### `config.i18n.raise_on_missing_translations` Determines whether an error should be raised for missing translations in controllers and views. This defaults to `false`. #### `config.i18n.fallbacks` Sets fallback behavior for missing translations. Here are 3 usage examples for this option: * You can set the option to `true` for using default locale as fallback, like so: ```ruby config.i18n.fallbacks = true ``` * Or you can set an array of locales as fallback, like so: ```ruby config.i18n.fallbacks = [:tr, :en] ``` * Or you can set different fallbacks for locales individually. 
For example, if you want to use `:tr` for `:az` and `:de`, `:en` for `:da` as fallbacks, you can do it, like so:

```ruby
config.i18n.fallbacks = { az: :tr, da: [:de, :en] }
#or
config.i18n.fallbacks.map = { az: :tr, da: [:de, :en] }
```

### Configuring Active Model

#### `config.active_model.i18n_customize_full_message`

Is a boolean value which controls whether the `full_message` error format can be overridden at the attribute or model level in the locale files. This is `false` by default.

### Configuring Active Record

`config.active_record` includes a variety of configuration options:

#### `config.active_record.logger`

Accepts a logger conforming to the interface of Log4r or the default Ruby Logger class, which is then passed on to any new database connections made. You can retrieve this logger by calling `logger` on either an Active Record model class or an Active Record model instance. Set to `nil` to disable logging.

#### `config.active_record.primary_key_prefix_type`

Lets you adjust the naming for primary key columns. By default, Rails assumes that primary key columns are named `id` (and this configuration option doesn't need to be set). There are two other choices:

* `:table_name` would make the primary key for the Customer class `customerid`.
* `:table_name_with_underscore` would make the primary key for the Customer class `customer_id`.

#### `config.active_record.table_name_prefix`

Lets you set a global string to be prepended to table names. If you set this to `northwest_`, then the Customer class will look for `northwest_customers` as its table. The default is an empty string.

#### `config.active_record.table_name_suffix`

Lets you set a global string to be appended to table names. If you set this to `_northwest`, then the Customer class will look for `customers_northwest` as its table. The default is an empty string.

#### `config.active_record.schema_migrations_table_name`

Lets you set a string to be used as the name of the schema migrations table.
#### `config.active_record.internal_metadata_table_name` Lets you set a string to be used as the name of the internal metadata table. #### `config.active_record.protected_environments` Lets you set an array of names of environments where destructive actions should be prohibited. #### `config.active_record.pluralize_table_names` Specifies whether Rails will look for singular or plural table names in the database. If set to `true` (the default), then the Customer class will use the `customers` table. If set to false, then the Customer class will use the `customer` table. #### `config.active_record.default_timezone` Determines whether to use `Time.local` (if set to `:local`) or `Time.utc` (if set to `:utc`) when pulling dates and times from the database. The default is `:utc`. #### `config.active_record.schema_format` Controls the format for dumping the database schema to a file. The options are `:ruby` (the default) for a database-independent version that depends on migrations, or `:sql` for a set of (potentially database-dependent) SQL statements. #### `config.active_record.error_on_ignored_order` Specifies if an error should be raised if the order of a query is ignored during a batch query. The options are `true` (raise error) or `false` (warn). Default is `false`. #### `config.active_record.timestamped_migrations` Controls whether migrations are numbered with serial integers or with timestamps. The default is `true`, to use timestamps, which are preferred if there are multiple developers working on the same application. #### `config.active_record.lock_optimistically` Controls whether Active Record will use optimistic locking and is `true` by default. #### `config.active_record.cache_timestamp_format` Controls the format of the timestamp value in the cache key. Default is `:usec`. #### `config.active_record.record_timestamps` Is a boolean value which controls whether or not timestamping of `create` and `update` operations on a model occur. 
The default value is `true`. #### `config.active_record.partial_inserts` Is a boolean value and controls whether or not partial writes are used when creating new records (i.e. whether inserts only set attributes that are different from the default). The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `true` | | 7.0 | `false` | #### `config.active_record.partial_updates` Is a boolean value and controls whether or not partial writes are used when updating existing records (i.e. whether updates only set attributes that are dirty). Note that when using partial updates, you should also use optimistic locking `config.active_record.lock_optimistically` since concurrent updates may write attributes based on a possibly stale read state. The default value is `true`. #### `config.active_record.maintain_test_schema` Is a boolean value which controls whether Active Record should try to keep your test database schema up-to-date with `db/schema.rb` (or `db/structure.sql`) when you run your tests. The default is `true`. #### `config.active_record.dump_schema_after_migration` Is a flag which controls whether or not schema dump should happen (`db/schema.rb` or `db/structure.sql`) when you run migrations. This is set to `false` in `config/environments/production.rb` which is generated by Rails. The default value is `true` if this configuration is not set. #### `config.active_record.dump_schemas` Controls which database schemas will be dumped when calling `db:schema:dump`. The options are `:schema_search_path` (the default) which dumps any schemas listed in `schema_search_path`, `:all` which always dumps all schemas regardless of the `schema_search_path`, or a string of comma separated schemas. 
#### `config.active_record.belongs_to_required_by_default` Is a boolean value and controls whether a record fails validation if `belongs_to` association is not present. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `nil` | | 5.0 | `true` | #### `config.active_record.action_on_strict_loading_violation` Enables raising or logging an exception if strict_loading is set on an association. The default value is `:raise` in all environments. It can be changed to `:log` to send violations to the logger instead of raising. #### `config.active_record.strict_loading_by_default` Is a boolean value that either enables or disables strict_loading mode by default. Defaults to `false`. #### `config.active_record.warn_on_records_fetched_greater_than` Allows setting a warning threshold for query result size. If the number of records returned by a query exceeds the threshold, a warning is logged. This can be used to identify queries which might be causing a memory bloat. #### `config.active_record.index_nested_attribute_errors` Allows errors for nested `has_many` relationships to be displayed with an index as well as the error. Defaults to `false`. #### `config.active_record.use_schema_cache_dump` Enables users to get schema cache information from `db/schema_cache.yml` (generated by `bin/rails db:schema:cache:dump`), instead of having to send a query to the database to get this information. Defaults to `true`. #### `config.active_record.cache_versioning` Indicates whether to use a stable `#cache_key` method that is accompanied by a changing version in the `#cache_version` method. 
The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 5.2                   | `true`               |

#### `config.active_record.collection_cache_versioning`

Enables the same cache key to be reused when the object being cached of type `ActiveRecord::Relation` changes by moving the volatile information (max updated at and count) of the relation's cache key into the cache version to support recycling the cache key.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 6.0                   | `true`               |

#### `config.active_record.has_many_inversing`

Enables setting the inverse record when traversing `belongs_to` to `has_many` associations.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 6.1                   | `true`               |

#### `config.active_record.automatic_scope_inversing`

Enables automatically inferring the `inverse_of` for associations with a scope.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 7.0                   | `true`               |

#### `config.active_record.legacy_connection_handling`

Allows enabling the new connection handling API. For applications using multiple databases, this new API provides support for granular connection swapping.
The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `true` | | 6.1 | `false` | #### `config.active_record.destroy_association_async_job` Allows specifying the job that will be used to destroy the associated records in background. It defaults to `ActiveRecord::DestroyAssociationAsyncJob`. #### `config.active_record.destroy_association_async_batch_size` Allows specifying the maximum number of records that will be destroyed in a background job by the `dependent: :destroy_async` association option. All else equal, a lower batch size will enqueue more, shorter-running background jobs, while a higher batch size will enqueue fewer, longer-running background jobs. This option defaults to `nil`, which will cause all dependent records for a given association to be destroyed in the same background job. #### `config.active_record.queues.destroy` Allows specifying the Active Job queue to use for destroy jobs. When this option is `nil`, purge jobs are sent to the default Active Job queue (see `config.active_job.default_queue_name`). It defaults to `nil`. #### `config.active_record.enumerate_columns_in_select_statements` When true, will always include column names in `SELECT` statements, and avoid wildcard `SELECT * FROM ...` queries. This avoids prepared statement cache errors when adding columns to a PostgreSQL database for example. Defaults to `false`. #### `config.active_record.verify_foreign_keys_for_fixtures` Ensures all foreign key constraints are valid after fixtures are loaded in tests. Supported by PostgreSQL and SQLite only. 
The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 7.0                   | `true`               |

#### `config.active_record.query_log_tags_enabled`

Specifies whether or not to enable adapter-level query comments. Defaults to `false`.

#### `config.active_record.query_log_tags`

Defines an `Array` specifying the key/value tags to be inserted in an SQL comment. Defaults to `[ :application ]`, a predefined tag returning the application name.

#### `config.active_record.cache_query_log_tags`

Specifies whether or not to enable caching of query log tags. For applications that have a large number of queries, caching query log tags can provide a performance benefit when the context does not change during the lifetime of the request or job execution. Defaults to `false`.

#### `config.active_record.schema_cache_ignored_tables`

Defines the list of tables that should be ignored when generating the schema cache. It accepts an `Array` of strings, representing the table names, or regular expressions.

#### `config.active_record.verbose_query_logs`

Specifies if source locations of methods that call database queries should be logged below relevant queries. By default, the flag is `true` in development and `false` in all other environments.

#### `config.active_record.async_query_executor`

Specifies how asynchronous queries are pooled.

It defaults to `nil`, which means `load_async` is disabled and instead directly executes queries in the foreground. For queries to actually be performed asynchronously, it must be set to either `:global_thread_pool` or `:multi_thread_pool`.

`:global_thread_pool` will use a single pool for all databases the application connects to. This is the preferred configuration for applications with only a single database, or applications which only ever query one database shard at a time.
`:multi_thread_pool` will use one pool per database, and each pool size can be configured individually in `database.yml` through the `max_threads` and `min_threads` properties. This can be useful to applications regularly querying multiple databases at a time, and that need to more precisely define the max concurrency.

#### `config.active_record.global_executor_concurrency`

Used in conjunction with `config.active_record.async_query_executor = :global_thread_pool`, defines how many asynchronous queries can be executed concurrently.

Defaults to `4`.

This number must be considered in accordance with the database pool size configured in `database.yml`. The connection pool should be large enough to accommodate both the foreground threads (e.g. web server or job worker threads) and background threads.

#### `ActiveRecord::ConnectionAdapters::Mysql2Adapter.emulate_booleans`

Controls whether the Active Record MySQL adapter will consider all `tinyint(1)` columns as booleans. Defaults to `true`.

#### `ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.create_unlogged_tables`

Controls whether database tables created by PostgreSQL should be "unlogged", which can speed up performance but adds a risk of data loss if the database crashes. It is highly recommended that you do not enable this in a production environment. Defaults to `false` in all environments.

#### `ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.datetime_type`

Controls what native type the Active Record PostgreSQL adapter should use when you call `datetime` in a migration or schema. It takes a symbol which must correspond to one of the configured `NATIVE_DATABASE_TYPES`. The default is `:timestamp`, meaning `t.datetime` in a migration will create a "timestamp without time zone" column. To use "timestamp with time zone", change this to `:timestamptz` in an initializer. You should run `bin/rails db:migrate` to rebuild your schema.rb if you change this.
#### `ActiveRecord::SchemaDumper.ignore_tables` Accepts an array of tables that should _not_ be included in any generated schema file. #### `ActiveRecord::SchemaDumper.fk_ignore_pattern` Allows setting a different regular expression that will be used to decide whether a foreign key's name should be dumped to db/schema.rb or not. By default, foreign key names starting with `fk_rails_` are not exported to the database schema dump. Defaults to `/^fk_rails_[0-9a-f]{10}$/`. ### Configuring Action Controller `config.action_controller` includes a number of configuration settings: #### `config.action_controller.asset_host` Sets the host for the assets. Useful when CDNs are used for hosting assets rather than the application server itself. You should only use this if you have a different configuration for Action Mailer, otherwise use `config.asset_host`. #### `config.action_controller.perform_caching` Configures whether the application should perform the caching features provided by the Action Controller component or not. Set to `false` in the development environment, `true` in production. If it's not specified, the default will be `true`. #### `config.action_controller.default_static_extension` Configures the extension used for cached pages. Defaults to `.html`. #### `config.action_controller.include_all_helpers` Configures whether all view helpers are available everywhere or are scoped to the corresponding controller. If set to `false`, `UsersHelper` methods are only available for views rendered as part of `UsersController`. If `true`, `UsersHelper` methods are available everywhere. The default configuration behavior (when this option is not explicitly set to `true` or `false`) is that all view helpers are available to each controller. #### `config.action_controller.logger` Accepts a logger conforming to the interface of Log4r or the default Ruby Logger class, which is then used to log information from Action Controller. Set to `nil` to disable logging. 
#### `config.action_controller.request_forgery_protection_token` Sets the token parameter name for RequestForgery. Calling `protect_from_forgery` sets it to `:authenticity_token` by default. #### `config.action_controller.allow_forgery_protection` Enables or disables CSRF protection. By default this is `false` in the test environment and `true` in all other environments. #### `config.action_controller.forgery_protection_origin_check` Configures whether the HTTP `Origin` header should be checked against the site's origin as an additional CSRF defense. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 5.0 | `true` | #### `config.action_controller.per_form_csrf_tokens` Configures whether CSRF tokens are only valid for the method/action they were generated for. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 5.0 | `true` | #### `config.action_controller.default_protect_from_forgery` Determines whether forgery protection is added on `ActionController::Base`. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 5.2 | `true` | #### `config.action_controller.urlsafe_csrf_tokens` Configures whether generated CSRF tokens are URL-safe. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 6.1 | `true` | #### `config.action_controller.relative_url_root` Can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). 
The default is `ENV['RAILS_RELATIVE_URL_ROOT']`. #### `config.action_controller.permit_all_parameters` Sets all the parameters for mass assignment to be permitted by default. The default value is `false`. #### `config.action_controller.action_on_unpermitted_parameters` Controls behavior when parameters that are not explicitly permitted are found. The default value is `:log` in test and development environments, `false` otherwise. The values can be: * `false` to take no action * `:log` to emit an `ActiveSupport::Notifications.instrument` event on the `unpermitted_parameters.action_controller` topic and log at the DEBUG level * `:raise` to raise a `ActionController::UnpermittedParameters` exception #### `config.action_controller.always_permitted_parameters` Sets a list of permitted parameters that are permitted by default. The default values are `['controller', 'action']`. #### `config.action_controller.enable_fragment_cache_logging` Determines whether to log fragment cache reads and writes in verbose format as follows: ``` Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms) Rendered messages/_message.html.erb in 1.2 ms [cache hit] Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms) Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss] ``` By default it is set to `false` which results in following output: ``` Rendered messages/_message.html.erb in 1.2 ms [cache hit] Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss] ``` #### `config.action_controller.raise_on_open_redirects` Raises an `ArgumentError` when an unpermitted open redirect occurs. 
The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 7.0                   | `true`               |

#### `config.action_controller.log_query_tags_around_actions`

Determines whether controller context for query tags will be automatically updated via an `around_filter`. The default value is `true`.

#### `config.action_controller.wrap_parameters_by_default`

Configures the [`ParamsWrapper`](https://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html) to wrap JSON requests by default.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 7.0                   | `true`               |

#### `ActionController::Base.wrap_parameters`

Configures the [`ParamsWrapper`](https://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html). This can be called at the top level, or on individual controllers.

### Configuring Action Dispatch

#### `config.action_dispatch.cookies_serializer`

Specifies which serializer to use for cookies. For more information, see [Action Controller Cookies](action_controller_overview.html#cookies).

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `:marshal`           |
| 7.0                   | `:json`              |

#### `config.action_dispatch.default_headers`

Is a hash with HTTP headers that are set by default in each response.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "1; mode=block", "X-Content-Type-Options" => "nosniff", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }` |
| 7.0                   | `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "0", "X-Content-Type-Options" => "nosniff", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }` |
| 7.1                   | `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "0", "X-Content-Type-Options" => "nosniff", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }` |

#### `config.action_dispatch.default_charset`

Specifies the default character set for all renders. Defaults to `nil`.

#### `config.action_dispatch.tld_length`

Sets the TLD (top-level domain) length for the application. Defaults to `1`.

#### `config.action_dispatch.ignore_accept_header`

Is used to determine whether to ignore accept headers from a request. Defaults to `false`.

#### `config.action_dispatch.x_sendfile_header`

Specifies the server-specific X-Sendfile header. This is useful for accelerated file sending from the server. For example, it can be set to 'X-Sendfile' for Apache.

#### `config.action_dispatch.http_auth_salt`

Sets the HTTP Auth salt value. Defaults to `'http authentication'`.

#### `config.action_dispatch.signed_cookie_salt`

Sets the signed cookies salt value. Defaults to `'signed cookie'`.

#### `config.action_dispatch.encrypted_cookie_salt`

Sets the encrypted cookies salt value. Defaults to `'encrypted cookie'`.

#### `config.action_dispatch.encrypted_signed_cookie_salt`

Sets the signed encrypted cookies salt value. Defaults to `'signed encrypted cookie'`.

#### `config.action_dispatch.authenticated_encrypted_cookie_salt`

Sets the authenticated encrypted cookie salt. Defaults to `'authenticated encrypted cookie'`.

#### `config.action_dispatch.encrypted_cookie_cipher`

Sets the cipher to be used for encrypted cookies. This defaults to `"aes-256-gcm"`.

#### `config.action_dispatch.signed_cookie_digest`

Sets the digest to be used for signed cookies. This defaults to `"SHA1"`.

#### `config.action_dispatch.cookies_rotations`

Allows rotating secrets, ciphers, and digests for encrypted and signed cookies.

#### `config.action_dispatch.use_authenticated_cookie_encryption`

Controls whether signed and encrypted cookies use the AES-256-GCM cipher or the older AES-256-CBC cipher.
The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 5.2 | `true` | #### `config.action_dispatch.use_cookies_with_metadata` Enables writing cookies with the purpose metadata embedded. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `false` | | 6.0 | `true` | #### `config.action_dispatch.perform_deep_munge` Configures whether `deep_munge` method should be performed on the parameters. See [Security Guide](security.html#unsafe-query-generation) for more information. It defaults to `true`. #### `config.action_dispatch.rescue_responses` Configures what exceptions are assigned to an HTTP status. It accepts a hash and you can specify pairs of exception/status. By default, this is defined as: ```ruby config.action_dispatch.rescue_responses = { 'ActionController::RoutingError' => :not_found, 'AbstractController::ActionNotFound' => :not_found, 'ActionController::MethodNotAllowed' => :method_not_allowed, 'ActionController::UnknownHttpMethod' => :method_not_allowed, 'ActionController::NotImplemented' => :not_implemented, 'ActionController::UnknownFormat' => :not_acceptable, 'ActionController::InvalidAuthenticityToken' => :unprocessable_entity, 'ActionController::InvalidCrossOriginRequest' => :unprocessable_entity, 'ActionDispatch::Http::Parameters::ParseError' => :bad_request, 'ActionController::BadRequest' => :bad_request, 'ActionController::ParameterMissing' => :bad_request, 'Rack::QueryParser::ParameterTypeError' => :bad_request, 'Rack::QueryParser::InvalidParameterError' => :bad_request, 'ActiveRecord::RecordNotFound' => :not_found, 'ActiveRecord::StaleObjectError' => :conflict, 'ActiveRecord::RecordInvalid' => :unprocessable_entity, 'ActiveRecord::RecordNotSaved' => :unprocessable_entity } ``` 
Any exceptions that are not configured will be mapped to 500 Internal Server Error. #### `config.action_dispatch.return_only_request_media_type_on_content_type` Change the return value of `ActionDispatch::Request#content_type` to the Content-Type header without modification. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `true` | | 7.0 | `false` | #### `config.action_dispatch.cookies_same_site_protection` Configures the default value of the `SameSite` attribute when setting cookies. When set to `nil`, the `SameSite` attribute is not added. To allow the value of the `SameSite` attribute to be configured dynamically based on the request, a proc may be specified. For example: ```ruby config.action_dispatch.cookies_same_site_protection = ->(request) do :strict unless request.user_agent == "TestAgent" end ``` The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `nil` | | 6.1 | `:lax` | #### `config.action_dispatch.ssl_default_redirect_status` Configures the default HTTP status code used when redirecting non-GET/HEAD requests from HTTP to HTTPS in the `ActionDispatch::SSL` middleware. The default value depends on the `config.load_defaults` target version: | Starting with version | The default value is | | --------------------- | -------------------- | | (original) | `307` | | 6.1 | `308` | #### `config.action_dispatch.log_rescued_responses` Enables logging those unhandled exceptions configured in `rescue_responses`. It defaults to `true`. #### `ActionDispatch::Callbacks.before` Takes a block of code to run before the request. #### `ActionDispatch::Callbacks.after` Takes a block of code to run after the request. 
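
How `config.action_dispatch.signed_cookie_digest` and `config.action_dispatch.cookies_rotations` fit together, as an added example that is not Rails' own code: a simplified standard-library model of an HMAC-signed cookie verifier that still accepts cookies signed under a retired digest and marks them for re-issue. The class and method names, the secret, the iteration count, and the cookie layout are assumptions made for the illustration; only the `'signed cookie'` salt and the `"SHA1"` default come from the settings above.

```ruby
require "openssl"
require "base64"

# Derive a signing key from an application secret and a purpose-specific salt.
# The salt is the documented default of signed_cookie_salt; the iteration count
# and key length are constructed values for this example.
def derive_key(secret_key_base, salt = "signed cookie")
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, 1000, 64, OpenSSL::Digest.new("SHA256"))
end

# Simplified model of a signed-cookie verifier with rotation (hypothetical class).
class RotatingCookieVerifier
  def initialize(key, digest:)
    @current = [key, digest]
    @retired = []
  end

  # Register an older key/digest pair that is still accepted when reading.
  def rotate(key, digest:)
    @retired << [key, digest]
    self
  end

  # New cookies are always signed with the current key and digest.
  def generate(value)
    data = Base64.strict_encode64(value)
    "#{data}--#{mac(data, *@current)}"
  end

  # Returns { value:, reissue: } for an authentic cookie, nil otherwise.
  # reissue is true when only a retired pair matched, so the caller can
  # write the cookie back under the current digest.
  def verify(cookie)
    data, signature = cookie.to_s.split("--", 2)
    return nil if data.nil? || data.empty? || signature.nil?

    [@current, *@retired].each_with_index do |(key, digest), index|
      next unless constant_time_equal?(signature, mac(data, key, digest))
      value = Base64.strict_decode64(data).force_encoding(Encoding::UTF_8)
      return { value: value, reissue: index.positive? }
    end
    nil
  end

  private

  def mac(data, key, digest)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), key, data)
  end

  # Compare without stopping at the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Once no request has come back with `reissue: true` for longer than the cookie lifetime, the retired pair can be dropped from the rotation list.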
### Configuring Action View `config.action_view` includes a small number of configuration settings: #### `config.action_view.cache_template_loading` Controls whether or not templates should be reloaded on each request. Defaults to whatever is set for `config.cache_classes`. #### `config.action_view.field_error_proc` Provides an HTML generator for displaying errors that come from Active Model. The block is evaluated within the context of an Action View template. The default is ```ruby Proc.new { |html_tag, instance| content_tag :div, html_tag, class: "field_with_errors" } ``` #### `config.action_view.default_form_builder` Tells Rails which form builder to use by default. The default is `ActionView::Helpers::FormBuilder`. If you want your form builder class to be loaded after initialization (so it's reloaded on each request in development), you can pass it as a `String`. #### `config.action_view.logger` Accepts a logger conforming to the interface of Log4r or the default Ruby Logger class, which is then used to log information from Action View. Set to `nil` to disable logging. #### `config.action_view.erb_trim_mode` Gives the trim mode to be used by ERB. It defaults to `'-'`, which turns on trimming of tail spaces and newline when using `<%= -%>` or `<%= =%>`. See the [Erubis documentation](http://www.kuwata-lab.com/erubis/users-guide.06.html#topics-trimspaces) for more information. #### `config.action_view.frozen_string_literal` Compiles the ERB template with the `# frozen_string_literal: true` magic comment, making all string literals frozen and saving allocations. Set to `true` to enable it for all views. #### `config.action_view.embed_authenticity_token_in_remote_forms` Allows you to set the default behavior for `authenticity_token` in forms with `remote: true`. By default it's set to `false`, which means that remote forms will not include `authenticity_token`, which is helpful when you're fragment-caching the form. 
Remote forms get the authenticity token from the `meta` tag, so embedding is unnecessary unless you support browsers without JavaScript. In such a case you can either pass `authenticity_token: true` as a form option or set this config setting to `true`.

#### `config.action_view.prefix_partial_path_with_controller_namespace`

Determines whether or not partials are looked up from a subdirectory in templates rendered from namespaced controllers. For example, consider a controller named `Admin::ArticlesController` which renders this template:

```erb
<%= render @article %>
```

The default setting is `true`, which uses the partial at `/admin/articles/_article.erb`. Setting the value to `false` would render `/articles/_article.erb`, which is the same behavior as rendering from a non-namespaced controller such as `ArticlesController`.

#### `config.action_view.automatically_disable_submit_tag`

Determines whether `submit_tag` should automatically disable on click. This defaults to `true`.

#### `config.action_view.debug_missing_translation`

Determines whether to wrap the missing translations key in a `<span>` tag or not. This defaults to `true`.

#### `config.action_view.form_with_generates_remote_forms`

Determines whether `form_with` generates remote forms or not.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| 5.1                   | `true`               |
| 6.1                   | `false`              |

#### `config.action_view.form_with_generates_ids`

Determines whether `form_with` generates ids on inputs.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `false`              |
| 5.2                   | `true`               |

#### `config.action_view.default_enforce_utf8`

Determines whether forms are generated with a hidden tag that forces older versions of Internet Explorer to submit forms encoded in UTF-8.
The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `true`               |
| 6.0                   | `false`              |

#### `config.action_view.image_loading`

Specifies a default value for the `loading` attribute of `<img>` tags rendered by the `image_tag` helper. For example, when set to `"lazy"`, `<img>` tags rendered by `image_tag` will include `loading="lazy"`, which [instructs the browser to wait until an image is near the viewport to load it](https://html.spec.whatwg.org/#lazy-loading-attributes). (This value can still be overridden per image by passing e.g. `loading: "eager"` to `image_tag`.) Defaults to `nil`.

#### `config.action_view.image_decoding`

Specifies a default value for the `decoding` attribute of `<img>` tags rendered by the `image_tag` helper. Defaults to `nil`.

#### `config.action_view.annotate_rendered_view_with_filenames`

Determines whether to annotate rendered views with template file names. This defaults to `false`.

#### `config.action_view.preload_links_header`

Determines whether `javascript_include_tag` and `stylesheet_link_tag` will generate a `Link` header that preloads assets.

The default value depends on the `config.load_defaults` target version:

| Starting with version | The default value is |
| --------------------- | -------------------- |
| (original)            | `nil`                |
| 6.1                   | `true`               |

#### `config.action_view.button_to_generates_button_tag`

Determines whether `button_to` will render `